
Incorrect configuration logic for IPsec in VPP
Closed, Resolved | Public | BUG

Description

Currently, there are two conditions in the configuration templates:

The idea is to enable IPsec offload only if it is configured in the CLI. However, this does not work as intended because the linux-cp plugin copies SAs and policies from the kernel even if the feature is not configured. What actually happens is:

  • without enable-route-mode-ipsec config, the default policy-based mode is used by linux-cp
  • SAs and policies are installed into VPP
  • Policy-based IPsec does not work, and traffic cannot pass through the router properly

We need to add an option to linux-cp that will allow us to enable/disable IPsec offload in a proper way (probably, by ignoring netlink XFRM messages).

I don't think we need to enable/disable this dynamically - the ability to control this from the VPP configuration file should be sufficient. This approach would also eliminate the need for a graceful shutdown after the switch from on to off.
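An added illustration of the gating proposed above, not code from this task, from VyOS or from VPP: a small model in which linux-cp consumes kernel netlink XFRM messages only when a switch in the VPP startup config is on, and otherwise ignores them. The `section { key value }` layout is VPP's startup.conf syntax and `XFRM_MSG_NEWSA`/`XFRM_MSG_NEWPOLICY` are the real message-type names, but the `ipsec-offload` key under `linux-cp`, the `LinuxCpModel` class and the event feed are assumptions made for this example; no real netlink frames are parsed.

```python
"""Model of the gating proposed in the task: linux-cp consumes kernel
netlink XFRM messages only when IPsec offload is switched on in the VPP
startup config, and otherwise ignores them.

Added example, not VyOS or VPP code. The `section { key value }` layout
is VPP's startup.conf syntax; the `ipsec-offload` key under `linux-cp`,
the LinuxCpModel class and the event feed are assumptions made here, and
no real netlink frames are parsed.
"""
import re

# Real message-type names from linux/xfrm.h; the payloads are constructed dicts.
SA_MSGS = {"XFRM_MSG_NEWSA", "XFRM_MSG_DELSA"}
POLICY_MSGS = {"XFRM_MSG_NEWPOLICY", "XFRM_MSG_DELPOLICY"}

_SECTION = re.compile(r"([A-Za-z][\w-]*)\s*\{([^}]*)\}", re.S)


def parse_startup_conf(text):
    """Parse `name { key value ... }` sections into {section: {key: value}}.

    One key per line (multi-keyword lines are not split); a key with no
    value maps to True, matching VPP's bare boolean keywords such as
    `nodaemon`. `#` starts a comment, as in startup.conf.
    """
    conf = {}
    for name, body in _SECTION.findall(text):
        section = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if not line:
                continue
            parts = line.split(None, 1)
            section[parts[0]] = parts[1].strip() if len(parts) == 2 else True
        conf[name] = section
    return conf


def ipsec_offload_enabled(conf):
    """Hypothetical switch `linux-cp { ipsec-offload on }`; default off, so a
    router with no IPsec offload configured gets no XFRM state mirrored."""
    value = conf.get("linux-cp", {}).get("ipsec-offload", "off")
    return str(value).lower() in ("on", "true", "yes", "1")


class LinuxCpModel:
    """Toy stand-in for the plugin's XFRM listener and VPP's SA/SPD tables."""

    def __init__(self, startup_conf, gate_xfrm=True):
        self.offload = ipsec_offload_enabled(parse_startup_conf(startup_conf))
        self.gate_xfrm = gate_xfrm  # False reproduces today's unconditional copy
        self.vpp_sas = {}           # spi -> SA
        self.vpp_policies = {}      # (src, dst, dir) -> policy
        self.ignored = []

    def handle_xfrm(self, msg):
        """Mirror one kernel XFRM event into VPP, or drop it when offload is off."""
        kind = msg["type"]
        if self.gate_xfrm and not self.offload:
            self.ignored.append(kind)
            return False
        if kind in SA_MSGS:
            table, key = self.vpp_sas, msg["spi"]
        elif kind in POLICY_MSGS:
            table, key = self.vpp_policies, (msg["src"], msg["dst"], msg["dir"])
        else:
            return False            # other XFRM message types are not mirrored
        if kind.startswith("XFRM_MSG_DEL"):
            table.pop(key, None)
        else:
            table[key] = msg
        return True


# Constructed startup configs: one without the switch, one with it on.
STARTUP_NO_OFFLOAD = """
unix { nodaemon }
linux-cp { default netns dataplane }
"""
STARTUP_OFFLOAD_ON = """
unix { nodaemon }
linux-cp {
  default netns dataplane
  ipsec-offload on    # hypothetical key for the option this task asks for
}
"""

# Constructed kernel XFRM event feed: a tunnel SA pair with its policies,
# after which the return-direction SA is torn down again.
XFRM_EVENTS = [
    {"type": "XFRM_MSG_NEWSA", "spi": 0x1000, "src": "192.0.2.1", "dst": "192.0.2.2"},
    {"type": "XFRM_MSG_NEWSA", "spi": 0x2000, "src": "192.0.2.2", "dst": "192.0.2.1"},
    {"type": "XFRM_MSG_NEWPOLICY", "src": "10.0.0.0/24", "dst": "10.1.0.0/24", "dir": "out"},
    {"type": "XFRM_MSG_NEWPOLICY", "src": "10.1.0.0/24", "dst": "10.0.0.0/24", "dir": "in"},
    {"type": "XFRM_MSG_DELSA", "spi": 0x2000, "src": "192.0.2.2", "dst": "192.0.2.1"},
]


def replay(startup_conf, gate_xfrm=True, events=XFRM_EVENTS):
    """Run the event feed through the model; return
    (installed SAs, installed policies, ignored messages)."""
    model = LinuxCpModel(startup_conf, gate_xfrm)
    for event in events:
        model.handle_xfrm(event)
    return len(model.vpp_sas), len(model.vpp_policies), len(model.ignored)


if __name__ == "__main__":
    print("current behaviour, no offload configured:", replay(STARTUP_NO_OFFLOAD, gate_xfrm=False))
    print("gated, no offload configured:           ", replay(STARTUP_NO_OFFLOAD))
    print("gated, offload on:                      ", replay(STARTUP_OFFLOAD_ON))
```

With `gate_xfrm=False` the model reproduces the report: an SA and both policies land in VPP although nothing was configured. With gating on and no switch in the config, every XFRM message is ignored and VPP stays empty; with `ipsec-offload on` the state is mirrored as before. On a real router with no IPsec offload configured, `vppctl show ipsec sa` and `vppctl show ipsec spd` show whether kernel state has leaked into VPP in the same way.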

Details

Version: 2025.09.01-0023-rolling
Is it a breaking change? Perfectly compatible
Issue type: Bug (incorrect behavior)

Event Timeline

zsdc updated the task description.
Viacheslav assigned this task to denys.haryachyy.
Viacheslav moved this task from Need Triage to Completed on the VyOS Rolling board.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.